rescue: relax OpenSSH 7 key/algo restrictions

Apparently DH SHA1 key exchange algorithm is still in wide use at least within Cisco products (there's a real world case involving our user), and some still use DSA keys which might be longer than "allowed" yet not trusted anymore. See also: http://www.openssh.com/legacy.html http://bugzilla.altlinux.org/31716 http://altlinux.org/changes (Jan 2016; RU)
2016-01-22 11:59:50 +03:00 · 2016-01-22 11:59:50 +03:00 · 4de3463b81
commit 4de3463b81
parent ee590934b4
1 changed files with 19 additions and 0 deletions
--- a/features.in/rescue/rescue/image-scripts.d/50-openssh
+++ b/features.in/rescue/rescue/image-scripts.d/50-openssh
@ -0,0 +1,19 @@
+#!/bin/sh
+# re-enable insecure DSA and DH SHA1 support
+# see also: http://www.openssh.com/legacy.html
+
+# any openssh at all?
+[ -d /etc/openssh ] && cd /etc/openssh || exit 0
+
+# is it p7 or earlier (which won't grok the lines added below)?
+[ $(rpmvercmp $(rpmquery --qf='%{VERSION}' openssh-common) 7.0) != "-1" ] ||
+	exit 0
+
+KEY_TYPES="PubkeyAcceptedKeyTypes +ssh-dss,ssh-dss-cert-v01@openssh.com"
+KEX_ALGOS="KexAlgorithms +diffie-hellman-group1-sha1"
+
+grep -qs "^$KEY_TYPES" sshd_config || echo "$KEY_TYPES" >> sshd_config
+grep -qs "^$KEY_TYPES" ssh_config  || echo "$KEY_TYPES" >> ssh_config
+grep -qs "^$KEX_ALGOS" ssh_config  || echo "$KEX_ALGOS" >> ssh_config
+
+: